Show HN: Trayce – Network tab for Docker containers
1 year ago (trayce.dev)
Trayce (https://github.com/evanrolfe/trayce_gui) is an open source desktop application which monitors HTTP(S) traffic to Docker containers on your machine. It uses EBPF to achieve zero-configuration sniffing of TLS-encrypted traffic.
As a backend developer I wanted something which was similar to Wireshark or the Chrome network tab, but which intercepted requests & responses to my containers for debugging in a local dev environment. Wireshark is a great tool but it seems more geared towards lower level networking tasks. When I'm developing APIs or microservices I dont care about packets, I'm only concerned with HTTP requests and their responses. I also didn't want to have to configure a pre-shared master key to intercept TLS, I wanted it to work out-of-the-box.
Trayce is in beta phase so feedback is very welcome, bug reports too. The frontend GUI is written in Python with the QT framework. The TrayceAgent which is what does the intercepting of traffic is written in Go and EBPF.
Looks very cool. I think you should write a docker extension https://www.docker.com/products/extensions/
As long as it's in addition to the standalone app. Not everybody uses Docker Desktop.
Podman Desktop supports Docker Desktop extensions and also its own extension API. https://podman-desktop.io/extend
"Developing a Podman Desktop extension" https://podman-desktop.io/docs/extensions/developing
This tool has really cool potential!
Just one problem I noticed imminently that prevents me from using this, the docker agent container[1] isn't multi-architecture, this will be an issue on Apple Silicon devices. This is something I have some experience setting up if you are looking for help, though will take some research to figure out how to get going in github actions etc.
1: https://github.com/evanrolfe/trayce_agent/
EDIT: quick search found this post, tested on a side project repo it works great: https://depot.dev/blog/multi-platform-docker-images-in-githu...
Good point, thanks. Its only ever been tested on a Mac with an Intel chip. I will try and sort this out ASAP!
I did submit a PR with a partial implementation, well the Docker and Github side. I am useless at the C and low level code.
2 replies →
I wanted to have a play but crashed when running the container command
failed to load BPF object: function not implemented
Are you running on Mac or Linux? What linux kernel version do you have in docker, run: `uname -r`. If you are using Mac with Docker Desktop then the first thing I would do is make sure thats on the latest version.
This is a common problem however when trying to run ebpf programs in docker, see "CONFIG_BPF_SYSCALL and RLIMIT_MEMLOCK issues" here: http://andreybleme.com/2022-05-22/running-ebpf-programs-on-d...
Also see "Configuring limits in the container" here too: https://blog.bitsofnetworks.org/debug-bpf-docker-l2tpns/
+1 - I get the same error. Running on Ubuntu 20.04
This is super cool! I'm gonna give this a try shortly.
One thing that we've been craving for our infrastructure is something like Little Snitch for containers. We make extensive use of third party containers and have been very concerned about any sort of data exfiltration attempts via supply chain attacks. We have a pile of iptable rules right now, but they're error prone and difficult to rationalize about. If we had something like Little Snitch where we would get the feed of connections and allow us to approve/reject them, it would make us all sleep a lot better.
Best of luck with your endeavors!
Cool!
> It uses EBPF to achieve zero-configuration sniffing of TLS-encrypted traffic.
Can someone ELI5 this?
I won't explain what ebpf is because google can do a better job of that than me but essentially this program hooks into the low-level system calls being made by your programs, so its able to grab un-encrypted network traffic before its encrypted and sent over the network. "zero-configuration" here mean you dont have to do much manual configuration to get this working.
Huh, is TLS being handled in the kernel these days? I thought most systems still used usermode libraries.
2 replies →
IIRC EBPF is an enhanced version of the Berkeley Packet filter. In this scenario I believe it is being used for sandboxing a low level process to allow for TLS "decryption" on network connections related to Docker.
This is super cool. I wonder if there's a way to pipe this data into some analytical store so you could use it as part of a monitoring stack. Have you considered exporting the metrics you collect with this?
Slightly off topic: is there a developer proxy that has a similar UI? I don't want to wrap the app in docker just see network logs in a nice UI.
At least conceptually I think the same approach, using ebpf to capture traffic, should work pretty much the same with or without containers. So it could be fairly minor adjustment to get it working outside containers too?
This seems super cool debugging tool. Is this purely for dockerized applications or can also be used with simple microservices.
Sounds cool. Would it maintain a history of requests which I could filter by time?
Consider contributing it to macports when it's out of beta.
Can it be used to trace containers with «host» network driver?
This is an amazing and insanely helpful product
Licence? Assuming GPL if it's using Qt?
Yes, GPL3. I've added the license to the repo.
Thanks. Looks awesome. You mention the Chrome network tab but you should also check out the Firefox network tab which is probably better and more powerful, for some more inspiration.
Very useful project, keep it up